Cisco Support Community

Need assistance on monitoring traffic

Due to one of our VPN connections running slow at times, I am now trying to monitor the traffic that flows through our PIX 520 in order to find out who is using all of the bandwidth. Our PIX is running version 6.33 and PDM 3.01.

I thought that the PDM would allow me to see a more detailed look at the actual traffic itself but I now realize that it's more for config changes and broader views of the traffic.

I’ve used the capture command on both the inside and outside interfaces during the period of heavy traffic to capture the frames for closer study. I’ve used the Ethereal software to take a look at the PCAP file that the capture produces but so far I haven’t been able to determine to whom the incoming packets are being sent. This is because the incoming packets to the outside interface only have the outside IP address and the associated MAC address of the outside interface card on the PIX. What am I missing?

When I run the sh xlate command in the PIX, I see the IPs of the connected PCs and the associated port number that each person uses, listed as 192.168.X.XXX (XXX).

So my question is: Does anyone know, when viewing the PCAP file from a capture on the outside interface, a way to see who the packet was to be delivered to? Where within the packet is the port number so that I can look up the internal IP address via xlate?

Or am I simply spinning my wheels with this line of thinking? Is there an easier way via the PIX to determine who is using all of our bandwidth?

Thanks a ton for the help,

Todd B.

2 REPLIES

Re: Need assistance on monitoring traffic

Syslog traffic through the PIX at debug level. Let it be for an hour. Pull the resultant data into

You will see everything you need to see.

Re: Need assistance on monitoring traffic

Does anyone know, when viewing the PCAP file from a capture on the outside interface, a way to see who the packet was to be delivered to? Where within the packet is the port number so that I can look up the internal IP address via xlate?

A - A capture on your outside interface is probably showing all packets destined to and sourced from your PAT address. Assuming this is the same address you have configured on your outside interface, your trace is going to show this same address as the source and destination of all packets. However, the source port (outbound packets) and destination port (inbound packets) should be unique to each xlate. You could take this info and compare it to debug level syslogs to find out who was translated to the port in question on the PIX. But my guess is that this will be a very time-consuming process. The port number will be in the TCP header in the packet. Ethereal should clearly show this in the output.

You mentioned doing a capture on the inside interface. This would probably be a better idea unless your bandwidth is getting eaten up by packets coming in from the outside but stopped by the PIX. The capture on the inside is going to see packets in their native form (no PAT) so it will be easier to track down.

Let us know if we can help.

Scott
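
The port-to-xlate correlation described in the reply above can be scripted; this is an added example, not code from the thread or from Cisco. It assumes the syslog server recorded the "Built dynamic ... translation" message (ID 305011) in the format shown in the comment, and that packet time, protocol, PAT port and length were exported from the outside capture; all sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed syslog format (message 305011), one line per PAT translation:
#   <date> HH:MM:SS <host> %PIX-6-305011: Built dynamic TCP translation
#   from inside:<real_ip>/<real_port> to outside:<pat_ip>/<pat_port>
XLATE_RE = re.compile(
    r"(\d\d:\d\d:\d\d) .*%PIX-6-305011: Built dynamic (TCP|UDP) translation "
    r"from inside:([\d.]+)/\d+ to outside:[\d.]+/(\d+)")

def build_xlate_history(syslog_lines):
    """Map (proto, PAT port) -> [(time, inside_ip), ...] in log order."""
    history = defaultdict(list)
    for line in syslog_lines:
        m = XLATE_RE.search(line)
        if m:
            when, proto, inside_ip, pat_port = m.groups()
            history[(proto, int(pat_port))].append((when, inside_ip))
    return history

def attribute_bytes(history, packets):
    """Sum captured bytes per inside host.

    packets: (time, proto, pat_port, length) rows from the outside capture;
    pat_port is the source port outbound, the destination port inbound.
    PAT ports are reused, so take the newest translation built at or before
    the packet time (same-day HH:MM:SS strings compare correctly as text).
    """
    totals = defaultdict(int)
    for when, proto, pat_port, length in packets:
        owner = "unmatched"
        for built, inside_ip in history.get((proto, pat_port), []):
            if built <= when:
                owner = inside_ip
        totals[owner] += length
    return dict(totals)

# Constructed sample data (documentation addresses, not from the thread).
SYSLOG = [
    "Mar 10 14:00:01 pix %PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.20/3325 to outside:203.0.113.5/1027",
    "Mar 10 14:00:05 pix %PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.31/4410 to outside:203.0.113.5/1028",
    "Mar 10 14:20:00 pix %PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.44/1200 to outside:203.0.113.5/1027",
]
PACKETS = [  # (time, proto, PAT port, bytes)
    ("14:01:00", "TCP", 1027, 1500), ("14:01:02", "TCP", 1027, 1500),
    ("14:05:00", "TCP", 1028, 400), ("14:21:00", "TCP", 1027, 900),
    ("14:22:00", "TCP", 1999, 60),
]
if __name__ == "__main__":
    print(attribute_bytes(build_xlate_history(SYSLOG), PACKETS))
```

Port 1027 appears twice in the sample log on purpose: without the time comparison, traffic from before 14:20 would be charged to the wrong inside host.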
